[Mailman-Users] mailman user account and login

[Patrick Bogen]

On 2/4/07, vancleef at lostwells.net <vancleef at lostwells.net> wrote:
> The mailman installation manual seems to imply that the mailman
> account should be added with no ability to log in to it.  I translated
> what appeared to me to be the sense of the line given to Solaris.
As with most daemon accounts..

> However, after having gone through several fire drills of resetting
> file owner from root to mailman, I've set the account up with the
> directory /usr/local/mailman and "NP" in the /etc/shadow file.
> This allows me to su - mailman from root, but not to get a login
> from anywhere else.  This is the same setup as is used for other
> Solaris "blind" accounts.
I don't see any reason that this would cause alarm. For caveat, see below...

> Is there any real reason not to use the account this way?  I'm aware
> that Mailman security is based on group identity, not user, but
> external programs such as htdig running under cron need to have
> uid mailman in files it writes to or to be set up as a mailman-uid
> program.  My personal preference is to set the needed uid's in the
> mailman runtime tree.
The main concern with this type of setup is that someone might be able
to exploit a vulnerability in mailman or htdig or whatever to obtain a
login shell for the users they run as. If that login shell is
/bin/false, well, they can just do whatever they want (i.e., nothing
at all) with that. If it's bash, well- that's another story
altogether.

Please note: The mailman user shouldn't *need* a valid shell for
programs to be running with its privileges. If there's not a reason
you need to login (either via su or something else), you're probably
better off giving mailman an invalid shell.

-- 
- Patrick Bogen